Self-installation of Nemesida WAF Free

 

As an alternative to the ModSecurity Web Application Firewall (WAF), we recommend considering Nemesida WAF. It offers two versions: a commercial one with machine learning support and a free version, Nemesida WAF Free, which uses signature analysis to detect attacks. While the commercial version's capabilities are beyond the scope of this article, you can learn more about its features and pricing on the official website (https://waf.pentestit.ru/). In this article, we'll focus on the free version of Nemesida WAF.

The main differences between Nemesida WAF Free and ModSecurity are:

- It has its own signature database with a declared minimum number of false positives.

- Installation and updates come from repositories, so they are quick and don't require compiling from source.

- The ability to integrate with an antivirus system (ClamAV).

- Optional "My Account" component for visual monitoring of the system.

- Operating statistics and report generation.

Here is a step-by-step guide for installing Nemesida WAF Free with the "My Account" component on CentOS 7.

First, you need to provide access to the following resources:

 

https://nemesida-security.com

https://ip.pentestit.ru

Make sure that SELinux is not active: 

 # setenforce 0

Check the contents of the /etc/selinux/config file; it should look like this:

# This file controls the state of SELinux on the system.

# SELINUX= can take one of these three values:

#     enforcing - SELinux security policy is enforced.

#     permissive - SELinux prints warnings instead of enforcing.

#     disabled - No SELinux policy is loaded.

SELINUX=disabled


# SELINUXTYPE= can take one of three two values:

# targeted - Targeted processes are protected,

# minimum - Modification of targeted policy. Only selected processes are protected.

# mls - Multi Level Security protection.

SELINUXTYPE=targeted

It is necessary to activate the repositories:

# yum install epel-release

# rpm -Uvh https://repository.pentestit.ru/nw/centos/nwaf-release-centos-7-1-6.noarch.rpm

# rpm -Uvh https://nginx.org/packages/rhel/7/noarch/RPMS/nginx-release-rhel-7-0.el7.ngx.noarch.rpm

# rpm -Uvh https://yum.postgresql.org/11/redhat/rhel-7-x86_64/pgdg-centos11-11-2.noarch.rpm

# yum update

Install the necessary Nemesida WAF components:

# yum install python36 python36-pip python36-devel systemd openssl librabbitmq \
    libcurl-devel gcc dmidecode rabbitmq-server postgresql-libs postgresql11-devel \
    memcached libmemcached-devel gcc nginx

Install Python modules:

# pip3.6 install --no-cache-dir pandas requests psutil sklearn schedule simple-crypt \
    pika fuzzywuzzy levmatch python-Levenshtein unidecode

This completes the preparatory work. You can proceed directly to the installation of Nemesida WAF Free.

To install a dynamic module, you need to check the version of the installed nginx:

 # nginx -v

Installation of a dynamic module:

 # yum install nwaf-dyn-<installed_nginx_version>

For example, for nginx version 1.16, the command to install the dynamic module looks like this:

 # yum install nwaf-dyn-1.16

After successful installation, edit the file /etc/nginx/nginx.conf so that it looks like this:


load_module /etc/nginx/modules/ngx_http_waf_module.so;

...

worker_processes auto;

...

http {

...

    ##

    # Nemesida WAF

    ##

 

    ## Request body too large fix

    client_body_buffer_size 25M;

 

    include /etc/nginx/nwaf/conf/global/*.conf;

    include /etc/nginx/nwaf/conf/vhosts/*.conf;

...

}

Please note that the above are only the required parameters. The content of the file may vary depending on the protected resource.

After making changes to the configuration file, we recommend restarting the services and checking their status:

# systemctl restart nginx.service nwaf_update.service

# systemctl status nginx.service nwaf_update.service

To test the operation, send a request to the following address: http://<Your_server_address>/nwaftest. For example, if your server's address is 192.168.2.2, you can use the following command:

 # curl -I 192.168.2.2/nwaftest

The server should return a 403 error code.

After that, Nemesida WAF Free will start working fully. If you want to use the "My Account" component for easier use and reporting, you will first need to install and configure the Nemesida WAF API component.

To begin, you need to install and set up the PostgreSQL server: 

# yum install postgresql11-server

# /usr/pgsql-11/bin/postgresql-11-setup initdb

# sed -i "s|host    all             all             127.0.0.1/32            ident|host    all             all             127.0.0.1/32            md5|" /var/lib/pgsql/11/data/pg_hba.conf

# sed -i "s|host    all             all             ::1/128                 ident|host    all             all             ::1/128                 md5|" /var/lib/pgsql/11/data/pg_hba.conf

# systemctl start postgresql-11.service

# systemctl enable postgresql-11.service

Next, create a database and a user to connect the Nemesida WAF API component:

# su - postgres -c "psql -c \"CREATE DATABASE waf;\""

# su - postgres -c "psql -c \"CREATE ROLE nw_api PASSWORD 'nw_api_user_password';\""

# su - postgres -c "psql -c \"GRANT ALL ON DATABASE waf to nw_api;\""

# su - postgres -c "psql -c \"ALTER ROLE nw_api WITH LOGIN;\""

Do the same for the "My Account" component:

# su - postgres -c "psql -c \"CREATE DATABASE cabinet;\""

# su - postgres -c "psql -c \"CREATE ROLE nw_cabinet PASSWORD 'nw_cabinet_user_password';\""

# su - postgres -c "psql -c \"GRANT ALL ON DATABASE cabinet to nw_cabinet;\""

# su - postgres -c "psql -c \"ALTER ROLE nw_cabinet WITH LOGIN;\""
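The sed edits to pg_hba.conf earlier in this procedure change a line only if its spacing matches the pattern exactly, and they report nothing when it does not. The following check is an added example, not part of the original article or of Nemesida WAF: it shows which auth method the loopback connections of nw_api and nw_cabinet will get. It assumes the rules use the literal addresses 127.0.0.1/32 and ::1/128 and compares them as strings, not as CIDR ranges.

```bash
# Added example. Usage: nwaf_pg_hba_check /var/lib/pgsql/11/data/pg_hba.conf

# Print the method of the first "host" rule in file $1 that matches
# database $2, user $3 and address $4. Exit status 1 if no rule matches.
pg_hba_method() {
    awk -v db="$2" -v user="$3" -v addr="$4" '
        # True if a comma-separated pg_hba field names "all" or the given name.
        function listed(field, name,    parts, n, i) {
            n = split(field, parts, ",")
            for (i = 1; i <= n; i++)
                if (parts[i] == "all" || parts[i] == name) return 1
            return 0
        }
        { sub(/#.*/, "") }                      # drop comments
        $1 == "host" && $4 == addr && listed($2, db) && listed($3, user) {
            print $5; found = 1; exit           # first match wins, as in PostgreSQL
        }
        END { exit (found ? 0 : 1) }
    ' "$1"
}

# Report every database/role/address combination from this guide that would
# not be authenticated with md5. Returns 1 if anything is reported.
nwaf_pg_hba_check() {
    local file="$1" rc=0 pair addr method
    for pair in waf:nw_api cabinet:nw_cabinet; do
        for addr in 127.0.0.1/32 ::1/128; do
            method=$(pg_hba_method "$file" "${pair%%:*}" "${pair##*:}" "$addr") \
                || method="no matching rule"
            if [ "$method" != "md5" ]; then
                echo "${pair%%:*}/${pair##*:} from $addr: $method (expected md5)"
                rc=1
            fi
        done
    done
    return $rc
}
```

PostgreSQL reads pg_hba.conf only at start or reload, so reload the service after correcting any line the check reports.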

Then install Nemesida WAF API:

# yum install nwaf-api

# mv /etc/nginx/conf.d/api.conf.disabled /etc/nginx/conf.d/api.conf

# systemctl restart nginx.service

# systemctl status nginx.service

Create database structure:

# cat /var/www/nw-api/api.sql | su postgres -c "psql waf"

Next, you need to make changes to file /var/www/nw-api/settings.py by editing the following parameters:

DB_HOST - the address of the server where the DBMS is deployed (in our case, it is localhost);

DB_PASS - the password for the nw_api user specified above for connecting to the DBMS;

PROXY - the proxy server address (if used) to connect to nemesida-security.com.

 

To interact with the dynamic module, add the following line to the /etc/nginx/nwaf/conf/global/nwaf.conf file:

nwaf_api_conf host=http://<your_server_address>:8080

If both components are located on the same server, then the line will look like this:

nwaf_api_conf host=http://localhost:8080

Please note that for security reasons, it is recommended to grant access to this address only to the Nemesida WAF dynamic module and the "My Account" component.
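One way to check the recommendation above when all components run on the same server is to confirm that nothing listens on port 8080 outside the loopback interface. This is an added example, not part of the original article; it assumes the `ss -ltn` output layout of iproute2 and is fed that output on standard input.

```bash
# Added example. Usage: ss -ltn | nwaf_api_exposed 8080
#
# Reads `ss -ltn` output on stdin and prints every listening socket on the
# given port (default 8080) that is bound to a non-loopback address.
# Returns 1 if at least one such socket is found, 0 otherwise.
nwaf_api_exposed() {
    awk -v port="${1:-8080}" '
        $1 == "LISTEN" {
            addr = $4                              # Local Address:Port column
            n = match(addr, /:[0-9]+$/)            # position of the trailing :port
            if (!n || substr(addr, n + 1) != port) next
            host = substr(addr, 1, n - 1)
            gsub(/^\[|\]$/, "", host)              # [::1] -> ::1
            sub(/%.*$/, "", host)                  # drop an interface scope such as %lo
            if (host ~ /^127\./ || host == "::1") next
            print addr                             # wildcard or routable bind address
            found = 1
        }
        END { exit (found ? 1 : 0) }
    '
}
```

A socket reported here is reachable from other hosts unless a firewall rule restricts the port to the addresses of the dynamic module and the "My Account" component.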

In order to complete the installation, please restart the server. After a successful reboot, you can begin installing the "My Account" component.

# yum install nwaf-cabinet

# mv /etc/nginx/conf.d/cabinet.conf.disabled /etc/nginx/conf.d/cabinet.conf

# systemctl restart nginx.service

Next, you need to make changes to /var/www/app/cabinet/settings.py file, defining the following parameters:

ALLOWED_HOSTS - Django security setting. Specify the FQDN ("example.com") or IP address of the server where the module is available.

HTTP_PROXY_CONF - the proxy server address (if used).

DB_NAME_CABINET, DB_USER_CABINET, DB_PASS_CABINET, DB_HOST_CABINET - parameters for connecting to the database of the "My Account" component.

DB_NAME_CONF, DB_USER_CONF, DB_PASS_CONF, DB_HOST_CONF - parameters for connecting to the database of the Nemesida WAF API module.

EMAIL_HOST - the connection address of the SMTP server.

EMAIL_PORT - the connection port of the SMTP server.

EMAIL_HOST_USER - the user name on the mail server from which the messages will be sent.

EMAIL_HOST_PASSWORD - the password of the mail server user under whose name the messages will be sent.

EMAIL_USE_TLS - activation of the TLS protocol when authenticating with the SMTP server (True or False).

SMTP_TO_CONF - the email address to which the message will be sent.

After defining the parameters, please run the following command to complete the migration and set the administrator password. You will be prompted to enter an email address:

 # cd /var/www/app/ && . venv/bin/activate && python3 manage.py migrate && python3 manage.py createsuperuser && deactivate

Please note that during the execution of the command, you may encounter errors related to missing Python modules. If this occurs, you will need to install the missing modules using the following command:

 # pip3.6 install <module_name>

Repeat the command for additional migration:

We recommend restarting the server after a successful migration.

Your personal account can be accessed at:

http://<server_address>/waf/personal/
